Q64 — AWS DOP-C02 Ch.1
Question 64 of 100
A multinational company uses AWS Control Tower to manage multiple AWS accounts. It hosts internal applications and public-facing applications. Each application team has its own AWS account for application hosting. These accounts are consolidated into an organization in AWS Organizations. One AWS Control Tower member account serves as a centralized DevOps account, hosting CI/CD pipelines that application teams use to deploy applications to their respective target AWS accounts. Deployment IAM roles reside in the centralized DevOps account. An application team is attempting to deploy its application to an Amazon Elastic Kubernetes Service (Amazon EKS) cluster in its application AWS account. A deployment IAM role exists in the application AWS account. The deployment is performed via an AWS CodeBuild project configured in the centralized DevOps account. The CodeBuild project uses CodeBuild’s IAM service role. Deployment fails with an 'access denied' error when CodeBuild attempts to connect to the cross-account EKS cluster. Which solution resolves this error?
- A. Configure the application account’s deployment IAM role to establish a trust relationship with the centralized DevOps account. Configure the trust relationship to allow sts:AssumeRole. Configure the application account’s deployment IAM role with required permissions for the EKS cluster. Configure the EKS cluster’s aws-auth ConfigMap to map the role to appropriate Kubernetes system permissions.
- B. Configure the centralized DevOps account’s deployment IAM role to establish a trust relationship with the application account. Configure the trust relationship to allow sts:AssumeRole. Configure the centralized DevOps account’s deployment IAM role with required permissions for CodeBuild. ✓
- C. Configure the centralized DevOps account’s deployment IAM role to establish a trust relationship with the application account. Configure the trust relationship to allow sts:AssumeRoleWithSAML. Configure the centralized DevOps account’s deployment IAM role with required permissions for CodeBuild.
- D. Configure the application account’s deployment IAM role to establish a trust relationship with the AWS Control Tower management account. Configure the trust relationship to allow sts:AssumeRole. Configure the application account’s deployment IAM role with required permissions for the EKS cluster. Configure the EKS cluster’s aws-auth ConfigMap to map the role to appropriate Kubernetes system permissions.
Correct Answer: B. Configure the centralized DevOps account’s deployment IAM role to establish a trust relationship with the application account. Configure the trust relationship to allow sts:AssumeRole. Configure the centralized DevOps account’s deployment IAM role with required permissions for CodeBuild.
Explanation
The deployment failure stems from insufficient permissions for the CodeBuild service role (in the centralized DevOps account) to interact with resources in the application account’s EKS cluster. Option A correctly configures the application account’s deployment IAM role to trust the centralized DevOps account and allow sts:AssumeRole. This enables CodeBuild (running in DevOps) to assume the application account’s role and gain necessary EKS access. The aws-auth ConfigMap then maps that assumed role to appropriate Kubernetes RBAC permissions. Option B incorrectly attempts to grant CodeBuild permissions *within* the DevOps account instead of enabling cross-account access. Option C uses SAML-based assumption, which is irrelevant here. Option D misdirects trust to the Control Tower management account—not the DevOps account performing the deployment. Thus, Option A is correct.